Information Exposure Affecting github.com/prebid/prebid-server/privacy/ccpa package, versions <0.113.0


Score: 0.0
Severity: high
  • Attack Complexity: Low
  • Scope: Changed
  • Confidentiality: High

  • snyk-id: SNYK-GOLANG-GITHUBCOMPREBIDPREBIDSERVERPRIVACYCCPA-1015605
  • published: 18 May 2020
  • disclosed: 18 May 2020
  • credit: djcsdy

How to fix?

Upgrade github.com/prebid/prebid-server/privacy/ccpa to version 0.113.0 or higher.

Overview

github.com/prebid/prebid-server/privacy/ccpa is an open source implementation of Server-Side Header Bidding.

Affected versions of this package are vulnerable to Information Exposure. Specifically, privacy/ccpa/policy.go and privacy/gdpr/policy.go include code that builds JSON by concatenating strings. If the us_privacy or consent field values contain a double-quote character ("), the result can be malformed JSON, or JSON with an unintended structure. An attacker could exploit this bug to trick Prebid Server into mutating an OpenRTB bid request to contain arbitrary data, bypassing validation.
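The following is an added illustration of the defect class, not code from prebid-server: a reconstructed concatenation builder for a `regs.ext` object next to a hardened builder that lets `encoding/json` escape the value, with a parser that reports what structure each one actually produced. Function names and the sample us_privacy strings are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Vulnerable pattern (illustrative, not the project's code): the field value
// is spliced into a JSON document by string concatenation, so a '"' inside
// the value ends the string early and changes the document's structure.
func buildRegsExtUnsafe(usPrivacy string) string {
	return `{"us_privacy":"` + usPrivacy + `"}`
}

// Hardened pattern: marshal a typed value so every character is escaped.
func buildRegsExtSafe(usPrivacy string) (string, error) {
	b, err := json.Marshal(map[string]string{"us_privacy": usPrivacy})
	return string(b), err
}

// keysOf returns the sorted top-level keys of a JSON object, or an error
// when the document is not valid JSON.
func keysOf(doc string) ([]string, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

// preservesValue reports whether parsing doc yields exactly the value
// that was supplied, i.e. no truncation and no extra members.
func preservesValue(doc, want string) bool {
	var m map[string]string
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return false
	}
	return len(m) == 1 && m["us_privacy"] == want
}

func main() {
	// Constructed inputs: a well-formed string, one with a stray quote
	// (malformed JSON), and one that smuggles an extra member.
	for _, in := range []string{"1YNN", `1Y"NN`, `1YNN","unexpected":"x`} {
		u, s := buildRegsExtUnsafe(in), ""
		s, _ = buildRegsExtSafe(in)
		uk, uerr := keysOf(u)
		sk, serr := keysOf(s)
		fmt.Printf("%q\n  concat : %s keys=%v err=%v\n  marshal: %s keys=%v err=%v\n",
			in, u, uk, uerr, s, sk, serr)
	}
}
```

Running it shows the concatenated form either failing to parse or gaining a second key, while the marshalled form always parses back to a single us_privacy member holding the original value.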
